Once upon a network dreary – the branch firewall’s tale of doom
As Halloween approaches, I can’t help but let my mind wander to the macabre. I imagine dense fog blanketing a cemetery. I see crumbling tombstones, dank mausoleums, and a spooky boneyard of rusted-out firewalls…lifeless appliances that shall offer branch protection nevermore.
But long before Halloween was upon us, people were raising the question about whether appliance-based firewalls had reached the end of their useful life. Maria Korolov1 broached the topic in DataCenter Knowledge, and Andrew Plato2 recently brought it up as well.
In a world where applications have moved to the cloud, it only makes sense for firewalls to move to the cloud as well. The appliance-based branch firewall appears to be doomed to a slow, painful death and left to haunt the halls your branch offices.
The beginning of the end of the NGFW
As users left the network and applications moved to the cloud, the network perimeter began to crumble, and enterprise security began to lose its effectiveness. And things were worse for branch offices, which had to force traffic through a centralized or regional internet gateway to reach cloud apps. Such backhauling over MPLS is expensive and often results in bottlenecks that slow access to cloud apps and create a user experience that is simply ghastly.
Another challenge creeping up on network and security operations teams is SSL traffic. Today, 70% of traffic across the Zscaler cloud is encrypted, and Google reports that 90% of pages loaded in Google Chrome are HTTPS encrypted3. But, inspecting SSL traffic with appliances is a performance killer due to limitations in those devices’ ability to decrypt, inspect, and re-encrypt that traffic. Yet, you can’t afford not to inspect it—bad actors have been watching, and now they’re hiding their malware in encrypted traffic.
As a result of these changes and others, the old practice of protecting the network has become increasingly irrelevant. Instead, you need to establish secure, direct-to-cloud connections for all users. Here’s why NGFW appliances and virtualized appliances are doomed.
To provide consistent security and user experience with traditional appliances, you would need to clone your HQ security appliance stack at each of your branch locations. It is highly unlikely that you can justify this expense, and as users access more and more cloud applications, traffic growth will require costly hardware refreshes.
Even if you could afford to deploy appliances everywhere, your problems would persist. Cloud apps establish a high number of long-lived connections and, as the use of cloud apps increases, the number of those long-lived connections will rise, overwhelming even the latest appliances.
Another challenge is related to management. In branch offices, there’s a tendency to vary appliance capacities based upon the number of users and anticipated traffic volume. But if you have different NGFW appliances at different locations, you will end up having policy tailored to each location, which increases the complexity of maintaining consistent policy across your network and makes troubleshooting more difficult.
All these reasons signal the death spiral of the branch firewall appliance. So, if you can’t deploy appliances to every location. What is left to consider?
VMs: A trick or a treat?
Virtualized firewalls, VNF, or virtualized machines may seem to be a more cost-effective approach for providing firewall functionality at the branch than their physical counterparts. However, when it comes to firewalls, virtualization is NOT a solution for better security. Virtualized firewalls suffer from the same issues as their physical counterparts in SSL inspection, long-lived connections, and upgrade requirements. This all leads to negative performance impacts and increasing costs as traffic bandwidth increases.
On top of the normal appliance challenges, you have the additional challenge and overhead of orchestrating the entire lifecycle of the VNF. If you have a bunch of VNFs coexisting you must worry about the management of the virtual function itself—in this case, VFW.
There’s no need to be frightened
As you migrate to cloud applications, you will realize you can’t rely on antiquated technologies designed for a different era. But not all Halloween tales must have a gruesome end. With Zscaler Cloud Firewall, you can move security and access controls to the cloud and deliver all the next-gen firewall capabilities needed in a modern business—without the cost, complexity, and management nightmares of appliances and virtualized solutions.
To learn more about how Zscaler Cloud Firewall can help you provide a fast and secure user experience for all your employees, read our Cloud Firewall eBook.
- - - - - - - - - - - - - - - - - - -
Jen Toscano is Sr. Product Marketing Manager at Zscaler.